1. Registration password complexity
Checked with JavaScript; here is a simple, handy piece of code for reference:
// Client-side strength check for the registration form. It only gives the user
// feedback: a browser can skip this function entirely, so the same rules must
// be enforced again on the server before the password is accepted.
function CheckPassword(password)
{
    var strength = new Array();
    strength[0] = "Blank";
    strength[1] = "Very Weak";
    strength[2] = "Weak";
    strength[3] = "Medium";
    strength[4] = "Strong";
    strength[5] = "Very Strong";
    var score = 1;
    if (password.length < 1)
        return strength[0];
    if (password.length < 4)
        return strength[1];
    if (password.length >= 8)                                   // at least 8 characters
        score++;
    if (password.length >= 10)                                  // at least 10 characters
        score++;
    if (password.match(/\d+/))                                  // contains a digit
        score++;
    if (password.match(/[a-z]/) && password.match(/[A-Z]/))     // mixed case
        score++;
    if (password.match(/[!@#$%^&*?_~\-£()]/))                   // contains a special character
        score++;
    // All five rules can match at once, which would push score to 6 and index
    // past the last label; clamp it to "Very Strong".
    if (score > 5)
        score = 5;
    return strength[score];
}
2. Failed login handling
Customize the FORM_LOGIN_FILTER: subclass UsernamePasswordAuthenticationFilter and override its attemptAuthentication method to inspect the login failure information and, for example, lock the user account.
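As an added illustration of that filter (my own example, not code from the original post), the class below counts consecutive failures per username and refuses further attempts once a limit is reached. It assumes Spring Security 3.1 and the servlet API; the package name sp.common is taken from the page's XssFilter entry, and the limits of five failures and a fifteen-minute lock are constructed values.

```java
package sp.common; // package name assumed from the page's sp.common.XssFilter

import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/**
 * Form-login filter that counts consecutive failures per username and refuses
 * further attempts once the limit is reached. The counter is kept in this JVM
 * only (an assumption for the example); a clustered deployment would persist it.
 */
public class LockingFormLoginFilter extends UsernamePasswordAuthenticationFilter {

    static final int MAX_FAILURES = 5;                 // constructed policy value
    static final long LOCK_MILLIS = 15L * 60 * 1000;   // constructed: 15-minute lock

    /** Consecutive-failure count and the time of the most recent failure. */
    static final class FailureRecord {
        int failures;
        long lastFailure;
    }

    private final ConcurrentMap<String, FailureRecord> records =
            new ConcurrentHashMap<String, FailureRecord>();

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
                                                HttpServletResponse response)
            throws AuthenticationException {
        String username = obtainUsername(request);
        username = (username == null) ? "" : username.trim();
        long now = System.currentTimeMillis();

        if (isLocked(username, now)) {
            // Reject before the AuthenticationManager sees the request, so a
            // locked account cannot be probed for the right password meanwhile.
            throw new LockedException("Account temporarily locked after repeated failures");
        }
        try {
            Authentication auth = super.attemptAuthentication(request, response);
            records.remove(username);   // a successful login clears the counter
            return auth;
        } catch (AuthenticationException failure) {
            recordFailure(username, now);
            throw failure;              // the configured failure handler still runs
        }
    }

    /** True while the user has reached MAX_FAILURES and the lock window is still open. */
    boolean isLocked(String username, long now) {
        FailureRecord rec = records.get(username);
        if (rec == null) {
            return false;
        }
        synchronized (rec) {
            if (rec.failures < MAX_FAILURES) {
                return false;
            }
            if (now - rec.lastFailure > LOCK_MILLIS) {
                records.remove(username);   // lock expired: start counting afresh
                return false;
            }
            return true;
        }
    }

    void recordFailure(String username, long now) {
        FailureRecord fresh = new FailureRecord();
        FailureRecord rec = records.putIfAbsent(username, fresh);
        if (rec == null) {
            rec = fresh;
        }
        synchronized (rec) {
            rec.failures++;
            rec.lastFailure = now;
        }
    }
}
```

The bean is registered with `<custom-filter position="FORM_LOGIN_FILTER" ref="..."/>` and needs its authenticationManager property pointed at the manager the page aliases as "am". A lock keyed on username alone lets anyone who knows a username keep that user locked out, which is why the lock here is temporary; pairing it with per-client-address throttling limits that effect further.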
HTTPS communication
Configure the requires-channel attribute of the <intercept-url> tag, for example:
<http>
    <intercept-url pattern="/secure/**" access="ROLE_USER" requires-channel="https"/>
    <intercept-url pattern="/**" access="ROLE_USER" requires-channel="any"/>
</http>
3. Storing passwords as MD5 digests
Configure as follows:
<!-- password encoder -->
<b:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"></b:bean>
<!-- authentication management -->
<authentication-manager alias="am">
    <authentication-provider>
        <!-- <password-encoder hash="md5"/> -->
        <password-encoder ref="passwordEncoder">
            <salt-source user-property="username"/>
        </password-encoder>
        <jdbc-user-service data-source-ref="dataSource"/>
    </authentication-provider>
</authentication-manager>
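One caveat on the configuration above: an MD5 digest salted with the username is cheap to brute-force offline and the salt is predictable, and Spring Security marks Md5PasswordEncoder as deprecated in favour of BCryptPasswordEncoder. The encoder below is my own example (not from the page) of how to move an existing user table over without a forced reset: it implements the same encoding PasswordEncoder interface the page's <password-encoder ref="..."> expects, stores new passwords with bcrypt, and still verifies old MD5 hashes with the username salt. It assumes Spring Security 3.1 with spring-security-crypto on the classpath; the bcrypt cost of 12 is a constructed choice.

```java
package sp.common; // package name assumed from the page's sp.common.XssFilter

import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.security.authentication.encoding.PasswordEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/**
 * Drop-in replacement for the page's "passwordEncoder" bean: new passwords are
 * stored with bcrypt, while hashes still in the legacy MD5(username-salted)
 * form keep verifying, so accounts can be migrated as their owners log in.
 */
public class MigratingPasswordEncoder implements PasswordEncoder {

    /** Same class the page configures, so legacy hashes verify identically. */
    private final Md5PasswordEncoder legacy = new Md5PasswordEncoder();

    /** Random per-password salt and a tunable cost; 12 is an assumed value. */
    private final BCryptPasswordEncoder bcrypt = new BCryptPasswordEncoder(12);

    /** New hashes are always bcrypt; the username salt from <salt-source> is ignored. */
    public String encodePassword(String rawPass, Object salt) {
        return bcrypt.encode(rawPass);
    }

    public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
        if (encPass == null || rawPass == null) {
            return false;
        }
        if (isBcrypt(encPass)) {
            return bcrypt.matches(rawPass, encPass);
        }
        // Legacy row: the stored value is MD5 over the password and the username
        // salt, exactly as the original Md5PasswordEncoder configuration produced it.
        return legacy.isPasswordValid(encPass, rawPass, salt);
    }

    /** bcrypt output is self-describing, so the prefix tells the two formats apart. */
    static boolean isBcrypt(String encPass) {
        return encPass.startsWith("$2a$") || encPass.startsWith("$2b$") || encPass.startsWith("$2y$");
    }

    /** True when a stored hash should be re-encoded after a successful login. */
    public boolean needsUpgrade(String encPass) {
        return encPass == null || !isBcrypt(encPass);
    }
}
```

Keep the page's `<salt-source user-property="username"/>` element in place, because the legacy branch still needs the username. The re-hashing step itself (call needsUpgrade on a successful login and write back encodePassword of the plaintext just verified) belongs in an AuthenticationSuccessHandler and is not shown here.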
4. Session timeout
Configure in web.xml:
<!-- set the session timeout to 20 minutes -->
<session-config>
    <session-timeout>20</session-timeout>
</session-config>
5. Concurrent session control
Configure as follows:
<b:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <b:constructor-arg name="sessionRegistry" ref="sessionRegistry"/>
    <b:property name="maximumSessions" value="1"/>
    <b:property name="exceptionIfMaximumExceeded" value="true"></b:property>
    <b:property name="alwaysCreateSession" value="true"></b:property>
</b:bean>
Maximum of 1 session per user; exceeding it raises an error; a new session is always created.
6. Cross-site scripting attacks
Write a filter that sanitises the characters in request parameters and headers. Configure as follows:
<!-- Avoiding XSS -->
<filter>
    <filter-name>XssFilter</filter-name>
    <filter-class>sp.common.XssFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>XssFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
7. Disable WebDAV and other unsafe HTTP methods
Modify web.xml:
<!-- The web-resource-collection has to sit inside a security-constraint; the empty
     auth-constraint is what denies the listed methods, since no role can satisfy it. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted-methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>